Play interactive tourEdit tour

## Overview

### Detection

Phisher
 Score: 48 Range: 0 - 100 Whitelisted: false Confidence: 100%

### Signatures

Yara detected Phisher
Found iframes
HTML body contains low number of good links
HTML title does not match URL

### Classification

 System is w10x64iexplore.exe (PID: 7112 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)iexplore.exe (PID: 7156 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7112 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)cleanup

## Malware Configuration

No configs have been found
SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\ZfpGsvFNKRgtdlqy[1].htmJoeSecurity_Phisher_2Yara detected PhisherJoe Security

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### Phishing:

 Yara detected Phisher Show sources
 Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\ZfpGsvFNKRgtdlqy[1].htm, type: DROPPED
 Found iframes Show sources
 HTML body contains low number of good links Show sources
 Source: http://submit.trmnx-ext.com/unsub/SRsYlDE4kaLvFVl7gzHp2U5E0zN5Umy7DZ3wBzazb7agLHGi40xLzxtQAW9X1sZe HTTP Parser: Number of links: 0 Source: http://submit.trmnx-ext.com/unsub/SRsYlDE4kaLvFVl7gzHp2U5E0zN5Umy7DZ3wBzazb7agLHGi40xLzxtQAW9X1sZe HTTP Parser: Number of links: 0
 HTML title does not match URL Show sources
 Source: http://submit.trmnx-ext.com/unsub/SRsYlDE4kaLvFVl7gzHp2U5E0zN5Umy7DZ3wBzazb7agLHGi40xLzxtQAW9X1sZe HTTP Parser: Title: Terminix - EXT does not match URL Source: http://submit.trmnx-ext.com/unsub/SRsYlDE4kaLvFVl7gzHp2U5E0zN5Umy7DZ3wBzazb7agLHGi40xLzxtQAW9X1sZe HTTP Parser: Title: Terminix - EXT does not match URL
 None HTTPS page querying sensitive user data (password, username or email) Show sources
 Source: http://submit.trmnx-ext.com/unsub/SRsYlDE4kaLvFVl7gzHp2U5E0zN5Umy7DZ3wBzazb7agLHGi40xLzxtQAW9X1sZe HTTP Parser: Has password / email / username input fields Source: http://submit.trmnx-ext.com/unsub/SRsYlDE4kaLvFVl7gzHp2U5E0zN5Umy7DZ3wBzazb7agLHGi40xLzxtQAW9X1sZe HTTP Parser: Has password / email / username input fields
 META author tag missing Show sources
 Source: https://www.terminix.com/customer-support/privacy/ HTTP Parser: No
 META copyright tag missing Show sources
 Source: https://www.terminix.com/customer-support/privacy/ HTTP Parser: No
 Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/htmlContent-Length: 57322Connection: keep-aliveDate: Wed, 23 Sep 2020 18:49:44 GMTCache-Control: no-cacheContent-Encoding: gzipLast-Modified: Mon, 30 Dec 2019 19:55:04 GMTETag: "81b527dd72b51d482ab7c8de129f47ad"Server: AmazonS3X-Cache: Miss from cloudfrontVia: 1.1 666ff4ad81b3b60af3d2241160893ee3.cloudfront.net (CloudFront)X-Amz-Cf-Pop: ZRH50-C1X-Amz-Cf-Id: 5_ao72YqzcjG9f79kEKMQf6_kY4AYHpaO1VaTiYnXKBUiS9hK_4j1Q==Data Raw: 1f 8b 08 00 00 00 00 00 00 00 c4 bc 79 93 9c 58 96 2f f8 7f 9b f5 77 50 ab 6d fa 65 15 99 62 df b2 2b eb 3d 77 c0 c1 71 76 dc 01 67 ec 59 19 fb be 38 3b b4 f5 77 7f 44 48 99 29 29 22 94 ca 9a b1 19 5c 11 72 c1 e5 dc 73 ce 3d cb ef 77 c1 f4 b7 74 a8 ca bf ff eb bf fc eb bf fc 2d 8d bc 70 ff f6 6e 3f fe 56 45 83 f7 2e 48 bd ae 8f 86 5f de 8f 43 fc 13 f5 1e fc f5 e2 90 0d 65 f4 f7 6b d4 55 59 9d 2d ef 7e 7a c7 39 d7 bf 81 1f cf 7e 1a d2 0f 6b 19 bd 1b d6 36 fa e5 fd 10 2d 03 18 f4 fd fb e7 69 de 7d 3a fe fa e3 67 df 7f f6 a3 b8 e9 a2 2f 4e 79 f1 10 75 ef fe eb f7 53 4f c7 4f 55 b3 fd e4 37 cb 4f 7d b6 65 75 f2 f3 3b bf e9 c2 a8 7b 3a f5 9f 5f 8d 9c 23 bf c8 86 ef 1b fc 87 83 fe fb 73 d5 9f 5c f6 99 aa 7e 13 ae 5f eb 19 37 f5 f0 24 31 fa f9 1d 0c 41 ff d7 5b 92 5e bb d5 f7 82 22 e9 9a b1 0e 7f 7e f7 ef 31 f4 f4 f9 4a db a0 29 9b 6e bf 88 22 a8 87 e1 5f 5d 6c bd 30 7c b6 e3 eb bb 2a af 4b b2 fa e5 f9 67 55 63 af ca ca f5 e7 77 87 2e f3 ca 1f df 09 51 39 45 43 16 78 3f be eb bd ba ff a9 8f ba 2c 7e ed be 39 ca 92 74 f8 f9 5d dd 74 95 57 be 36 e2 39 12 de 18 50 66 75 f4 53 fa 49 04 fc b5 21 4d 9f 0d 59 b3 6b dc 45 a5 37 64 53 f4 b5 1b c6 ae 7f f2 43 18 c5 de 58 0e 6f f9 38 ab 92 af 5d 5c 79 cb 4f 73 16 0e e9 8b d5 79 3a 7e 55 c8 1b 87 e6 4f 08 fd a9 ea 7f ca ea 3d 66 db e6 49 dd a6 de 63 35 dc 2d f7 b3 60 dc 7f de 92 f4 a1 8c e2 e1 45 f8 94 8d b7 6b f0 7c e9 df b2 aa 6d ba c1 ab df b4 f0 43 50 46 5e 17 ef a9 f8 95 98 bf 6e 4d 53 7d e9 d9 d7 6f 7c 99 7f bf 5f 7a 35 0f 83 7d 69 a3 7a 57 f1 fd bb f7 5f b9 2f cc fa b6 f4 f6 58 1a 3c bf 8c fe 78 ea d7 e5 3f 5d 7d ca c5 21 fd 13 4b f0 db d4 59 fd 1c 5a 7e d9 04 c5 57 ea 4d 51 f7 14 d8 e5 4f 5e 99 25 7b 70 55 59 18 be ad e6 ee 95 ea 65 f4 7c 4a a4 fd 03 77 51 f5 d6 bd a5 e7 47 e5 37 0a 03 f4 81 22 f1 2f ef ff e8 da 8f d9 8d 85 4f 9f 37 62 be 6d 9e 43 ed 2d d7 bf 66 f8 1f e7 eb 47 c3 f6 ca 37 0c 4f 61 03 7d 78 45 3b f0 af ef cc a7 8c ee 9f 5c b3 67 e6 63 cc ba 28 dc 1d de 8e 43 ff ee af e0 1b be e8 a3 32 0a 86 9f 7f 7e 4a 92 68 69 bd 3a 7c 73 ed ea a6 7e 73 39 fe d7 73 fd 0f 9b 60 ac f6 e8 7b 37 76 e5 4f 6d 17 ed 51 f4 c3 5f be 96 f7 71 c6 af cf 3e 1d 5f 16 58 ef e9 f3 95 91 5f cc f9 99 fa 69 33 bd 0c d5 97 22 d1 a7 cf 4b 91 af 4a 7f 76 dc ff fd b1 51 46 95 97 95 ef ff f7 8b c2 f2 a9 93 79 6d bb 27 85 57 07 d1 0b 27 7d 3e ec 53 ff ea bc 30 1b fb 97 e5 fe 8f 2e ff 66 c9 4f 9f 02 71 4e b3 e1 eb b9 be e8 19 59 9d ee ed 61 78 75 9e bd f8 b4 cb bb be 29 b3 f0 dd bf 07 cf c7 b7 fa 74 ea 85 cd fc 24 71 87 1d 4f d9 b5 df 8b ec 3f 5d e2 7b 3 Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 23 Sep 2020 18:49:43 GMTContent-Type: application/javascript; charset=utf-8Content-Length: 14539Connection: keep-aliveAccess-Control-Allow-Origin: *Cache-Control: public, max-age=30672000Content-Encoding: gzipETag: "5eb03cf3-b12d"Last-Modified: Mon, 04 May 2020 16:04:03 GMTTiming-Allow-Origin: *x-via: cfworker/kvcf-request-id: 055de5e31c0000d70d179e6200000001CF-Cache-Status: HITAge: 618565Expires: Mon, 13 Sep 2021 18:49:43 GMTAccept-Ranges: bytesVary: Accept-EncodingServer: cloudflareCF-RAY: 5d76727e9c39d70d-FRAalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 1f 8b 08 00 00 00 00 00 02 ff d4 bd 79 97 db 36 f2 28 fa bf 3e 05 84 71 64 c2 84 b6 6e db 71 c8 86 35 b6 e3 dc f1 3d f3 cb e4 65 f9 9d 77 9e 24 e7 82 24 b8 58 5c d4 5c a4 56 b7 f4 dd df 01 c0 05 a4 a8 b6 9d 64 e6 de fb 47 ab 49 2c 85 42 a1 50 a8 2a 14 c0 e9 b3 21 f8 ed e7 0f 93 4f 19 d8 cd 27 f3 57 93 2b e0 e7 f9 d6 98 4e 23 e6 04 34 0c ee d9 c4 0b 72 bf b0 26 41 32 95 25 a7 e0 d9 74 30 7d 06 ac 22 08 1d 60 27 71 4e 83 38 33 c0 87 9f 76 2f 27 9f 32 0c b6 45 7c b0 13 87 89 97 5f 98 9d c4 ce 3f d9 8e 85 df 27 11 2f 29 92 25 28 f1 ff 57 16 6d 43 9a f3 e2 1c b2 e6 16 b1 9d 07 49 ac b9 d8 47 0f 30 b1 3e 31 3b 87 84 90 fc b0 65 89 0b d8 dd 36 49 f3 6c 11 25 4e 11 b2 49 f9 4a 7c 0d 19 b0 aa ab 14 77 98 1b c4 6c 34 92 ff 27 34 72 16 f2 51 f3 91 e1 4e 38 d6 c4 d7 5c 74 42 5a ee 07 19 6e 9a 47 0f 3b 9a 02 9f b8 a3 91 2c 67 a6 2c 2f d2 f8 c1 62 59 6e d4 e5 3c f4 e0 11 6f 92 27 ff 4c f6 2c 7d 47 33 a6 a1 49 b6 0d 83 5c 83 06 44 26 07 12 13 6f 12 b2 d8 cb 7d 6c 91 57 26 e4 f8 79 cb d9 7a 34 2a 1f e7 cd e3 d5 7a a1 79 93 cc 0f dc 5c 43 b8 7e 42 46 5f ad 45 9d 5f 65 c7 63 05 56 3c be 5a 8f 46 de 64 9b 6c 35 64 36 58 98 e3 f9 b0 2a 3c 09 62 87 dd fd cb d5 e0 04 a2 d1 48 b3 c8 b7 12 e9 8d e9 26 a9 b6 21 33 73 73 13 73 90 a2 ca 66 6d 6e 74 1d 99 81 ab 6d 6e 2c c4 8b 78 a2 bb 36 d3 36 78 8e e1 6c 36 9b 41 64 56 4d dd 58 26 52 0a cc ea 02 0d 70 4b 40 7c e0 09 92 58 03 de 4c 45 43 88 b0 4b 66 e6 f5 6b d7 74 75 1d 05 ae 06 67 bc 77 b1 a0 c4 fc 26 2e 1b 42 71 d5 ca 0c cf 91 c9 c2 8c 01 2b 65 74 63 72 68 24 9e 7c 4a 82 98 83 3b c9 46 c6 73 ec 13 97 cc 70 c8 1f 6f c9 70 7e 86 d2 ed 42 36 c5 01 2c 7c 9d cc 0d 8d 97 c3 fe 6b 77 34 d2 62 12 62 97 f8 7c 64 ea 52 a3 11 2f c1 61 6e b0 4f e6 c8 6c 17 35 e7 37 2e 1f 8f 12 d1 18 bb 18 c2 d6 c0 58 04 42 95 3f 34 8b 08 2e 52 86 42 52 cb d2 e5 60 f0 71 e0 d4 18 cf 91 ec ad a5 f3 1a a7 16 3b 68 32 11 95 1c 0c ac 13 8e 93 77 49 ec 86 81 ad b0 32 7a 28 27 04 21 7c 2e 8c 46 5a 35 41 ea 9a 3c fd 74 3a 21 53 9d a8 e8 a1 7a 06 be 66 a1 87 dc 4f 93 3d 88 d9 1e fc 4c 63 8f bd Data Ascii: y6(>qdnq5=ewX\\VdGI,BP*!O'W+N#4r&A2%t0}"`'qN83v/'2E|_?'/)%(WmCIG0>1;e6Il%NIJ|wl4'4rQN8\tBZnG;,g,/bYn
 Source: global traffic HTTP traffic detected: GET /qs=ua-acacaefejchgadhgjejbhacigdhabababadhahcaccaihfachegahhhjcacb HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: wowlosefat.comConnection: Keep-Alive Source: global traffic HTTP traffic detected: GET /rm.php?c=dzln6bhddMJFcZIYlcjezA HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: bluewaterbest.com Source: global traffic HTTP traffic detected: GET /unsub/SRsYlDE4kaLvFVl7gzHp2U5E0zN5Umy7DZ3wBzazb7agLHGi40xLzxtQAW9X1sZe HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: submit.trmnx-ext.com Source: global traffic HTTP traffic detected: GET /ajax/libs/URI.js/1.18.2/URI.min.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: http://submit.trmnx-ext.com/unsub/SRsYlDE4kaLvFVl7gzHp2U5E0zN5Umy7DZ3wBzazb7agLHGi40xLzxtQAW9X1sZeAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: cdnjs.cloudflare.comConnection: Keep-Alive Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: submit.trmnx-ext.comConnection: Keep-Alive
 Found strings which match to known social media urls Show sources
 Performs DNS lookups Show sources
 Source: unknown DNS traffic detected: queries for: wowlosefat.com
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Content-Length: 346Connection: keep-aliveDate: Wed, 23 Sep 2020 18:49:43 GMTServer: AmazonS3X-Cache: Error from cloudfrontVia: 1.1 666ff4ad81b3b60af3d2241160893ee3.cloudfront.net (CloudFront)X-Amz-Cf-Pop: ZRH50-C1X-Amz-Cf-Id: SEf4evg5CNRwYjZYg5USoZlgm5961Hj9xyAkb4lkEAIeMvRIiIz-Uw==Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 75 6c 3e 0a 3c 6c 69 3e 43 6f 64 65 3a 20 4e 6f 53 75 63 68 4b 65 79 3c 2f 6c 69 3e 0a 3c 6c 69 3e 4d 65 73 73 61 67 65 3a 20 54 68 65 20 73 70 65 63 69 66 69 65 64 20 6b 65 79 20 64 6f 65 73 20 6e 6f 74 20 65 78 69 73 74 2e 3c 2f 6c 69 3e 0a 3c 6c 69 3e 4b 65 79 3a 20 66 61 76 69 63 6f 6e 2e 69 63 6f 3c 2f 6c 69 3e 0a 3c 6c 69 3e 52 65 71 75 65 73 74 49 64 3a 20 43 41 44 44 45 41 39 39 33 46 32 43 33 46 30 34 3c 2f 6c 69 3e 0a 3c 6c 69 3e 48 6f 73 74 49 64 3a 20 64 74 32 39 56 48 2f 55 68 39 54 61 46 67 4c 77 46 51 61 72 59 44 44 48 58 42 39 2f 46 2b 66 2b 44 64 44 43 4c 75 6f 44 2f 4b 51 7a 6d 75 51 6f 6b 6c 54 34 2f 62 4b 51 59 51 76 74 78 54 7a 4e 47 64 64 4f 36 5a 4b 4d 45 47 38 3d 3c 2f 6c 69 3e 0a 3c 2f 75 6c 3e 0a 3c 68 72 2f 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: 404 Not Found

• Code: NoSuchKey
• Message: The specified key does not exist.
• Key: favicon.ico
• HostId: dt29VH/Uh9TaFgLwFQarYDDHXB9/F+f+DdDCLuoD/KQzmuQoklT4/bKQYQvtxTzNGddO6ZKMEG8=

 Urls found in memory or binary data Show sources
 Uses HTTPS Show sources
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740 Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730 Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729 Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725 Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799 Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792 Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791 Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790 Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822 Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786 Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780 Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819 Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770 Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49800 Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765 Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760 Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759 Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751 Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747 Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
 Classification label Show sources
 Source: classification engine Classification label: mal48.phis.win@3/119@44/31
 Creates files inside the user directory Show sources
 Creates temporary files Show sources
 Spawns processes Show sources
 Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7112 CREDAT:17410 /prefetch:2 Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7112 CREDAT:17410 /prefetch:2 Jump to behavior
 Found graphical window changes (likely an installer) Show sources
 Source: Window Recorder Window detected: More than 3 window changes detected
 Uses new MSVCR Dlls Show sources
 Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior

## Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Drive-by Compromise1Windows Management InstrumentationPath InterceptionProcess Injection1Masquerading1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol4Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol5Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferIngress Tool Transfer4SIM Card SwapCarrier Billing Fraud
Hide Legend

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet